Open registration — Registration is open to all OAuth Clients. This is intended for social login providers as well as for Identity Providers (IDPs) and services that are set up for automatic discovery. Requests should be rate limited to prevent DoS attacks.

Managed registration — An initial OAuth 2.0 Access Token is required for registration. The Access Token is issued after the client application has passed an approval or screening process.

The importance of having a standard server endpoint for client registration was recognised early on by the working groups behind OAuth 2.0 and OpenID Connect. They have published the following documents to address this:

In addition to the collision-resistant properties, requiring a URI Scheme based on a DNS Domain name that is under the control of the app can help to prove ownership in the event of a dispute where two apps claim the same Private URI Scheme (where one app is acting maliciously). For example, if two apps claimed "com.example.app", the owner of "example.com" could petition the app store operator to remove the counterfeit app. Such a petition is harder to prove if a generic URI scheme was used.
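One way an Authorization Server could enforce the reverse-domain requirement when a client registers a Private URI Scheme redirect, as an added example that is not part of the original page or of any specification. The function names and the `verified_domains` set (domains the registrant has already proven control of, by a process outside this example) are assumptions.

```python
import re
from urllib.parse import urlsplit

# URI scheme syntax: a letter, then letters, digits, "+", "-" or "."
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*$")
# One DNS label: letters, digits and inner hyphens
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def scheme_to_domain(scheme):
    """Reverse 'com.example.app' into 'app.example.com'.

    Returns None when the scheme is not shaped like a reversed domain name.
    """
    scheme = scheme.lower()
    if not SCHEME_RE.match(scheme) or "." not in scheme:
        return None  # generic schemes such as "myapp" carry no ownership signal
    labels = scheme.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return None  # empty label or characters that cannot appear in a domain
    return ".".join(reversed(labels))


def check_redirect_uri(redirect_uri, verified_domains):
    """Decide at registration time whether a private URI scheme redirect is acceptable.

    verified_domains (assumption): domains the registrant has already proven
    control of, through a process outside this example.
    """
    scheme = urlsplit(redirect_uri).scheme
    if scheme in ("", "http", "https"):
        return (False, "not a private URI scheme redirect")
    domain = scheme_to_domain(scheme)
    if domain is None:
        return (False, "scheme is not a reversed domain name")
    for owned in verified_domains:
        owned = owned.lower().rstrip(".")
        # Exact match or a true subdomain; the leading dot stops
        # "notexample.com" from matching "example.com".
        if domain == owned or domain.endswith("." + owned):
            return (True, "scheme maps to " + domain)
    return (False, domain + " is not under a verified domain")


if __name__ == "__main__":
    owned = {"example.com"}  # constructed sample data
    for uri in ("com.example.app:/oauth2redirect", "myapp:/callback",
                "com.notexample.app:/oauth2redirect"):
        print(uri, "->", check_redirect_uri(uri, owned))
```

Rejecting the generic scheme at registration keeps the ownership argument described above available later, because every accepted scheme is tied to a domain with an identifiable owner.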

Authorization Servers MAY request the inclusion of other platform-specific information, such as the app package or bundle name, or other information that may be useful for verifying the calling app's identity on Operating Systems that support such functions.